April 28, 2012

Fuzzer: My first SVG fuzzer (called SVGz)
Options: Switch two randomly selected tags (which is the only one mode at the moment)
Number of template files: 659
Size of the smallest template file: 140 byte
Size of the largest template file: 32M
Number of mutated files to test with: 222,888

The SVG files were processed in the same browser instance until crash occurred, to save some time that bootstrap and shutdown would require. Firefox and Chrome were tested simultaneously, and the test took about 4 days to complete.

April 16, 2012

Microsoft says the behavior of strncpy() is undefined if the source and destination strings overlap. Below is the x86 disassembly code of msvcr100.dll!strncpy to see what behavior we can expect in certain scenarios.

The function is longer than functionally required because, when it's possible, it uses dword size to access to the memory, otherwise it uses byte size.

In the disassembly code below, I highlighted the memory read and write instructions as well as the instructions increment the pointers to the source and destination strings. We will focus on the highlighted areas.

ESI is the pointer in the source string, EDI is the pointer in the destination string. Each time when the memory is read or written either the source or destination pointer is incremented. The value of the increment is either byte or word size.

Let's assume the strings overlap. There are three possible scenarios.

Scenario #1. The pointer to the source string is greater than the pointer to the destination string. We copy the data from the higher memory address to the lower memory address, and we know the strings overlap. Therefore, we will overwrite data in the source string. Since the data is read before it is overwritten, it doesn't lead to misbehavior.

Scenario #2. The pointer to the source string is equal to the pointer to the destination string. Same as Scenario #1.

Scenario #3. The pointer to the destination string is greater than the pointer to the source string. We copy the data from the lower memory address to the higher memory address, and we know the strings overlap. The data in the source string is overwritten before it is read leading to misbehavior.

April 10, 2012

We are just over a long weekend because of Easter bank holidays. It was an opportunity to do some kind of security experiments and I decided to improve my tiny fuzzers, and to run some brief tests with them.

Introduced SVG Fuzzing

I've been thinking about writing an SVG fuzzer for a long time, and now the time has come. It's only a few lines in source so far, and this one is written in C#. In my scenario, I don't think C is a good language to write fuzzer, and to write security testing tools in general. Despite this, I've got all of them written in C. It's time for change because I can see that it's much easier to expand C# program, so I might rewrite some of them. Anyway, the SVG fuzzer is mutation based. It currently supports to mix-up tags only, but has simple functionality to define the number of output files to generate, and the number of fuzzing rounds to apply on each sample. I have to look at the SVG specification and to inspect SVG files in more detail to find out more and more creative test cases.

I've got 130 template files that I currently use. I fuzzed them with the option to generate 1000 altered files from each input files, so all together I've got 130000 files.

The samples were generated to test browsers. When executed the test, Opera, with some exceptions, kept displaying a message "XML parsing failed" rather than showing up broken images. I thought it will pass all test cases because of bailing out early. That was not the case. I encountered some crashes but they all tried to access to memory address near null. At the moment, I don't know code execution is possible with those crashes but probably not. The first crash was at about sample number 1500 though.

When executed the test, Chrome and Firefox popped up JavaScript error messages on several occasions and the tests were stuck in until I manually closed the message boxes. It seemed that both browsers showed broken pictures rather than displaying error messages about failed parsing. None of them crashed though.

I had to disqualify Internet Explorer from the test because it kept popping up error messages, actually several and distinct error messages on all files nearly. I was able to suppress some of them by changing registry entries but still left a lot to resolve, and didn't immediately find a solution, so I consider resolving this in the future, probably in a generic way.

Fuzzing Flash Files

I have had about 5000 template samples, and targeted fuzzing control transfer instructions in a way to change the target addresses of the jumps. Generated about 300000 samples but didn't see Flash player crashing on any sample. Found a couple of infinite loops though.

April 6, 2012

This blog post highlights an interesting part of this factual video (available only in the UK). I'd highlight another part, from the end of the video, that I find also interesting.

One part of the video was about data overload, and how the brain filters the information we need. There was an experiment where satellite images taken of Afghanistan, to locate enemy hosts. But the images are so large and hunting through the pictures cannot be done with computers, and it's very monotonic and slow by doing it manually. In the experiment, the satellite images were randomly separated to hundreds of sub images. Few showed building that the the professor wanted to find. The professor got an EEG cap that monitored his brain activity on the certain part of the brain. He looked at the sample image containing the building and brain signals were recorded by EEG cap. The satellite images started flashing up on the screen, and the professor didn't immediately realize any buildings on them. They created a color map of the brain activity where, for example, the red meant something grabbed his attention. They matched the brain activity with the pictures. When they looked the corresponding picture to the red region, there were buildings on there.

I was smiling when saw this. Not because I don't believe it but on the contrary. Actually, I've been doing this with the exception that I don't wear EEG cap, and I don't look at satellite images. I look at hex dump or at interpreted machine code or at source code. These tend to be huge amount of information to look at by eye. I usually scroll through them quickly and I know that I might miss something but carry on anyway. I just don't know if my unconscious picks up something that I don't immediately realize but I have no reason to disbelieve this video.